Security researcher David Wells of Tenable discovered a vulnerability affecting the "Zoom Desktop Conferencing App." The vulnerability, which stemmed from insufficient validation of incoming messages, could allow a threat actor to execute unauthorized commands on a machine running the affected Zoom client. In addition to downloading and executing malware, an actor could spoof chat messages, remove meeting attendees, and take control of a presenter's screen. To exploit the flaw, an actor would need to know the Zoom server's IP address and inject crafted UDP packets into an ongoing session; because UDP source addresses are trivially forged, a client that trusts control messages based on their apparent origin alone cannot tell such packets apart from genuine server traffic.
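The following is an added illustrative example, not Zoom's actual protocol or code from Tenable's research: a simplified model of a UDP control-message handler that trusts datagrams solely by source address, alongside a hardened version that requires a per-session HMAC and a monotonically increasing sequence number. The server address, session key, and message format are constructed for the example.

```python
"""Constructed model (not Zoom's real protocol) of trust-by-source-IP
versus authenticated session messages for UDP control traffic."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed example address from the RFC 5737 TEST-NET-2 documentation range.
SERVER_IP = "198.51.100.10"


def vulnerable_handle(src_ip: str, payload: bytes) -> Optional[dict]:
    """Weak handler: accepts any datagram whose source address claims to be
    the server. The source address of a UDP packet is attacker-controlled,
    so an actor who knows SERVER_IP can inject arbitrary commands."""
    if src_ip != SERVER_IP:
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def _mac_input(seq: int, cmd: str) -> bytes:
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps({"seq": seq, "cmd": cmd}, sort_keys=True).encode()


def sign_message(key: bytes, seq: int, cmd: str) -> bytes:
    """What a legitimate server would send: command, sequence number, and an
    HMAC-SHA256 tag computed under the per-session key."""
    tag = hmac.new(key, _mac_input(seq, cmd), hashlib.sha256).hexdigest()
    return json.dumps({"seq": seq, "cmd": cmd, "tag": tag}).encode()


class AuthenticatedSession:
    """Hardened handler: a message is acted on only if its HMAC verifies under
    the session key and its sequence number is strictly newer than the last
    accepted one, which rejects both forged and replayed datagrams."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def handle(self, src_ip: str, payload: bytes) -> Optional[dict]:
        try:
            msg = json.loads(payload)
            seq = int(msg["seq"])
            cmd = str(msg["cmd"])
            tag = bytes.fromhex(msg["tag"])
        except (ValueError, KeyError, TypeError):
            return None
        if seq <= self.last_seq:
            return None  # replay or reordered stale message
        expected = hmac.new(self.key, _mac_input(seq, cmd), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the tag via timing.
        if not hmac.compare_digest(expected, tag):
            return None
        self.last_seq = seq
        return {"seq": seq, "cmd": cmd}


def demo() -> dict:
    """Runs a forged command through both handlers and returns the outcomes."""
    key = b"constructed-per-session-key-32-bytes!"
    forged = json.dumps({"seq": 2, "cmd": "remove_attendee", "tag": "00" * 32}).encode()
    legit = sign_message(key, 1, "remove_attendee")

    session = AuthenticatedSession(key)
    return {
        # Spoofed source address is enough to get the weak handler to act.
        "vulnerable_accepts_forgery": vulnerable_handle(SERVER_IP, forged) is not None,
        "hardened_accepts_legit": session.handle(SERVER_IP, legit) is not None,
        "hardened_rejects_replay": session.handle(SERVER_IP, legit) is None,
        "hardened_rejects_forgery": session.handle(SERVER_IP, forged) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The essential fix is that the authenticity of a control message must come from a secret the attacker does not hold (the per-session key), not from a header field the attacker can write.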

Recommendation: Your company should have policies in place to ensure that software is maintained such that new security updates are applied as soon as possible. Threat actors frequently target vulnerabilities for which patches have already been issued, because the vulnerability details and associated proof-of-concept exploit code are often posted in public sources once a fix is released. Actors of all levels of sophistication are known to exploit such vulnerabilities because many users and administrators do not apply security updates promptly.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.